How the NSA tries to compromise Tor anonymity: the "Tor Stinks" document

Tor anonymity has been debated many times; according to the majority of security experts it was one of the most secure ways to stay online far from prying eyes and to avoid government surveillance.

Recently a series of events has completely changed this conviction. Last year groups of researchers demonstrated that it is possible to track users on the Tor network too: thanks to a technique dubbed the traffic correlation attack it is possible to break Tor anonymity. A few weeks ago the news spread that law enforcement had been able to discover a Tor user's identity by exploiting a flaw in the Firefox browser.

In the last month the Tor network has also lost a couple of its most popular entities: the Freedom Hosting service and the Silk Road illegal marketplace were shut down by the FBI, circumstances that suggest the U.S. authorities have found a way to track criminals (or have simply decided to apply it) even when they are protected by Tor anonymity.

Yesterday Edward Snowden released a new, intriguing classified NSA document, titled "Tor Stinks", in which the intelligence agency admits to being able to de-anonymize a small fraction of Tor users manually.

"We will never be able to de-anonymize all Tor users all the time" but "with manual analysis we can de-anonymize a very small fraction of Tor users".

The document also reveals that the NSA was working to degrade the user experience in order to dissuade people from using the Tor Browser.

The NSA strategy relies on the following principles to undermine Tor anonymity.

Infiltrating the Tor network by running its own Tor nodes. Both the NSA and GCHQ run Tor nodes to track traffic back to a specific user; the method is based on reconstructing the circuit from knowledge of the entry, relay and exit nodes between the user and the destination website.

Exploiting a zero-day vulnerability in the Firefox browser bundled with Tor; with this technique the NSA was able to obtain the user's IP address. This is how the FBI arrested the owner of the Freedom Hosting service provider, accused of aiding and abetting child pornography.

The NSA also uses web cookies to track Tor users widely, and the technique is effective against the Tor Browser too. The cookies are used to analyze the user's activity on the Internet: the intelligence agency owned or controlled a series of websites able to read the cookies previously stored by the browser on the victim's machine. With this technique the agency collects the user's data, including the IP address. Documents leaked by Snowden show that the NSA is using online advertisements, i.e. Google Ads, to make their tracking sites popular on the Internet.

Of course expert users can avoid this type of control in numerous ways, for example by using a dedicated browser exclusively for Tor navigation, by using only the official preconfigured Tor bundle, or by properly managing the cookies stored on their machine. Unfortunately the surveillance methods appeared effective against a huge number of individuals. I always suggest using a virtual machine with a live OS to protect your Tor anonymity: in this way cache and cookies are lost once the machine is shut down.
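The following simulation is an added example, not code from the original article or from the leaked document. It models the cookie linkage described above from the defender's side: a tracking site issues a persistent identifier cookie and logs the apparent client address of every visit, so a browser that sends the same cookie once from the home connection and once through Tor lets the site join the two addresses. The second and third scenarios show why the mitigations in the text work: a dedicated Tor-only profile never carries the clearnet cookie, and clearing the jar at the end of a session (the live-OS approach) breaks the link between sessions. Site names, IP addresses and cookie values are constructed for the simulation.

```python
"""Simulation of cross-session cookie linking and the mitigations the
article recommends (added example; site names, IPs and cookie values are
constructed, not taken from the leaked document)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class TrackerSite:
    """A site that issues a persistent identifier cookie and logs every
    visit as (cookie id, apparent client IP)."""
    name: str
    visits: list[tuple[str, str]] = field(default_factory=list)

    def handle(self, cookies: dict[str, str], client_ip: str) -> dict[str, str]:
        uid = cookies.get("uid")
        if uid is None:
            uid = secrets.token_hex(8)  # new visitor: issue an identifier
        self.visits.append((uid, client_ip))
        return {"uid": uid}  # what the Set-Cookie header would carry

    def linked_ips(self, uid: str) -> set[str]:
        """Every client address the tracker has seen with this cookie id."""
        return {ip for u, ip in self.visits if u == uid}


@dataclass
class Browser:
    """A browser profile with its own cookie jar, keyed by site name."""
    jar: dict[str, dict[str, str]] = field(default_factory=dict)

    def visit(self, site: TrackerSite, client_ip: str) -> None:
        site_cookies = self.jar.setdefault(site.name, {})
        site_cookies.update(site.handle(dict(site_cookies), client_ip))

    def clear(self) -> None:
        """Equivalent of shutting down a live OS: all cookies are lost."""
        self.jar.clear()


HOME_IP = "203.0.113.7"        # constructed: the user's real address
TOR_EXIT_IP = "198.51.100.42"  # constructed: address the site sees via Tor


def shared_profile_scenario() -> set[str]:
    """One profile used for both clearnet and Tor browsing: the cookie
    issued on the clearnet visit is replayed over Tor, so the tracker can
    link the Tor session to the real address."""
    tracker = TrackerSite("tracker.example")
    browser = Browser()
    browser.visit(tracker, HOME_IP)      # clearnet visit, real IP logged
    browser.visit(tracker, TOR_EXIT_IP)  # Tor visit with the same cookie
    uid = browser.jar[tracker.name]["uid"]
    return tracker.linked_ips(uid)


def separate_profile_scenario() -> tuple[set[str], set[str]]:
    """A dedicated Tor-only profile never holds the clearnet cookie, so
    the tracker ends up with two unrelated identifiers."""
    tracker = TrackerSite("tracker.example")
    everyday, tor_only = Browser(), Browser()
    everyday.visit(tracker, HOME_IP)
    tor_only.visit(tracker, TOR_EXIT_IP)
    uid_home = everyday.jar[tracker.name]["uid"]
    uid_tor = tor_only.jar[tracker.name]["uid"]
    return tracker.linked_ips(uid_home), tracker.linked_ips(uid_tor)


def cleared_session_scenario() -> bool:
    """Same profile, but the jar is wiped between sessions (live OS):
    returns True when the two Tor sessions get different identifiers."""
    tracker = TrackerSite("tracker.example")
    browser = Browser()
    browser.visit(tracker, TOR_EXIT_IP)
    first_uid = browser.jar[tracker.name]["uid"]
    browser.clear()
    browser.visit(tracker, TOR_EXIT_IP)
    second_uid = browser.jar[tracker.name]["uid"]
    return first_uid != second_uid


if __name__ == "__main__":
    print("shared profile links:", shared_profile_scenario())
    print("separate profiles:", separate_profile_scenario())
    print("cleared between sessions unlinkable:", cleared_session_scenario())
```

The point of the model is that the linking needs nothing from the Tor network itself: the join happens entirely in the tracker's visit log, which is why cookie hygiene (separate profiles, a clean jar per session) is the control that matters here.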

The concerning aspect of the story is that other governments could use similar techniques to monitor the Tor network; think of countries such as China, Iran and Syria, where censorship is very strong.

The good news is that, despite their efforts, intelligence agencies are not able to compromise Tor anonymity for the entire network … maybe.


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".